Axiomatizing GSOS with Predicates* 



Luca Aceto Georgiana Caltais Eugen-Ioan Goriac Anna Ingolfsdottir 

{luca, gcaltais10, egoriac10, annai}@ru.is
ICE-TCS, School of Computer Science, Reykjavik University, Iceland 

In this paper, we introduce an extension of the GSOS rule format with predicates such as termination, 
convergence and divergence. For this format we generalize the technique proposed by Aceto, Bloom 
and Vaandrager for the automatic generation of ground-complete axiomatizations of bisimilarity over 
GSOS systems. Our procedure is implemented in a tool that receives SOS specifications as input and 
derives the corresponding axiomatizations automatically. This paves the way to checking strong 
bisimilarity over process terms by means of theorem-proving techniques. 

1 Introduction 

One of the greatest challenges in computer science is the development of rigorous methods for the speci- 
fication and verification of reactive systems, i.e., systems that compute by interacting with their environ- 
ment. Typical examples include embedded systems, control programs and distributed communication 
protocols. Over the last three decades, process algebras, such as ACP JH, CCS [16] and CSP [14],
have been successfully used as common languages for the description of both actual systems and their
specifications. In this context, verifying whether the implementation of a reactive system complies with
its specification reduces to proving that the corresponding process terms are related by some notion of
behavioural equivalence or preorder [13].

One approach to proving equivalence between two terms is to exploit the equational style of reason- 
ing supported by process algebras. In this approach, one obtains a (ground-)complete axiomatization 
of the behavioural relation of interest and uses it to prove the equivalence between the terms describing 
the specification and the implementation by means of equational reasoning, possibly in conjunction with 
proof rules to handle recursively-defined process specifications. 

Finding a "finitely specified", (ground-)complete axiomatization of a behavioural equivalence over
a process algebra is often a highly non-trivial task. However, as shown in [2] in the setting of
bisimilarity ifTrjlfTTl, this process can be automated for process languages with an operational
semantics given in terms of rules in the GSOS format of Bloom, Istrail and Meyer [8]. In that reference,
Aceto, Bloom and Vaandrager provided an algorithm that, given a GSOS language as input, produces as
output a "conservative extension" of the original language with auxiliary operators together with a
finite axiom system that is sound and ground-complete with respect to bisimilarity (see, e.g.,
JT] [121 US] [TBI for further results in this line of research). As the operational specification of
several operators often requires a clear distinction between successful termination and deadlock, an
extension of the above-mentioned approach to the setting of GSOS with a predicate for termination was
proposed in O.

In this paper we contribute to the line of the work in and @. Inspired by [6], we introduce
the preg rule format, a natural extension of the GSOS format with an arbitrary collection of predicates
such as termination, convergence and divergence. We further adapt the theory in Q to this setting
and give a procedure for obtaining ground-complete axiomatizations for bisimilarity over preg systems.
More specifically, we develop a general procedure that, given a preg language as input, automatically
synthesizes a conservative extension of that language and a finite axiom system that, in conjunction
with an infinitary proof rule, yields a sound and ground-complete axiomatization of bisimilarity over the
extended language. The work we present in this paper is based on the one reported in O [6]. However,
handling more general predicates than immediate termination requires the introduction of some novel
technical ideas. In particular, the problem of axiomatizing bisimilarity over a preg language is reduced to
that of axiomatizing that relation over finite trees whose nodes may be labelled with predicates. In order
to do so, one needs to take special care in axiomatizing negative premises in rules that may have positive
and negative premises involving predicates and transitions.

The results of the current paper have been used for the implementation of a Maude [10] tool
that enables the user to specify preg systems in a uniform fashion, and that automatically derives the
associated axiomatizations. The tool is available at http://goriac.info/tools/preg-axiomatizer/. This
paves the way to checking bisimilarity over process terms by means of theorem-proving techniques for
a large class of systems that can be expressed using preg language specifications.

Paper structure. In Section 2 we introduce the preg rule format. In Section 3 we introduce an
appropriate "core" language for expressing finite trees with predicates. We also provide a ground-complete
axiomatization for bisimilarity over this type of trees, as our aim is to prove the completeness of our fi- 
nal axiomatization by head normalizing general preg terms, and therefore by reducing the completeness 
problem for arbitrary languages to that for trees. 

Head normalizing general preg terms is not a straightforward process. Therefore, following [2], in
Section 4 we introduce the notion of smooth and distinctive operation, adapted to the current setting.
These operations are designed to "capture the behaviour of general preg operations", and are defined by 
rules satisfying a series of syntactic constraints with the purpose of enabling the construction of head 
normalizing axiomatizations. Such axiomatizations are based on a collection of equations that describe 
the interplay between smooth and distinctive operations, and the operations in the signature for finite 
trees. The existence of a sound and ground-complete axiomatization characterizing the bisimilarity of 
preg processes is finally proven in Section 5. A technical discussion on why it is important to handle
predicates as first class notions, instead of encoding them by means of transition relations, is presented
in Section 6. In Section 7 we draw some conclusions and provide pointers to future work.

2 GSOS with predicates 

In this section we present the preg systems, which are a generalization of GSOS (H systems.

Consider a countably infinite set $V$ of process variables (usually denoted by $x, y, z$) and a signature
$\Sigma$ consisting of a set of operations (denoted by $f, g$). The set of process terms $\mathbb{T}(\Sigma)$
is inductively defined as follows: each variable $x \in V$ is a term; if $f \in \Sigma$ is an operation of
arity $l$, and if $S_1, \ldots, S_l$ are terms, then $f(S_1, \ldots, S_l)$ is a term. We write $T(\Sigma)$ in
order to represent the set of closed process terms (i.e., terms that do not contain variables), ranged over
by $t, s$. A substitution $\sigma$ is a function of type $V \to \mathbb{T}(\Sigma)$. If the range of a
substitution is included in $T(\Sigma)$, we say that it is a closed substitution. Moreover, we write
$[x \mapsto t]$ to represent a substitution that maps the variable $x$ to the term $t$. Let
$\vec{x} = x_1, \ldots, x_n$ be a sequence of pairwise distinct variables. A $\Sigma$-context $C[\vec{x}]$
is a term in which at most the variables $\vec{x}$ appear. For instance, $f(x, f(x, c))$ is a
$\Sigma$-context, if the binary operation $f$ and the constant $c$ are in $\Sigma$.

Let $A$ be a finite, nonempty set of actions (denoted by $a, b, c$). A positive transition formula is a
triple $(S, a, S')$ written $S \xrightarrow{a} S'$, with the intended meaning: process $S$ performs action
$a$ and becomes process $S'$. A negative transition formula $(S, a)$ written $S \stackrel{a}{\nrightarrow}$
states that process $S$ cannot perform action $a$. Note that $S, S'$ may contain variables. The "intended
meaning" applies to closed process terms.

We now define preg, a predicate extension of the GSOS rule format. Let $\mathcal{P}$ be a finite set of
predicates (denoted by $P, Q$). A positive predicate formula is a pair $(P, S)$, written $PS$, saying that
process $S$ satisfies predicate $P$. Dually, a negative predicate formula $\neg PS$ states that process $S$
does not satisfy predicate $P$.

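Definition 1 (preg rule format). Consider $A$, a set of actions, and $\mathcal{P}$, a set of predicates.

1. A preg transition rule for an $l$-ary operation $f$ is a deduction rule of the form:

$$\frac{\{x_i \xrightarrow{a_{ij}} y_{ij} \mid i \in I^+, j \in I_i^+\} \quad \{P_{ij} x_i \mid i \in J^+, j \in J_i^+\} \quad \{x_i \stackrel{b}{\nrightarrow} \mid i \in I^-, b \in B_i\} \quad \{\neg Q x_i \mid i \in J^-, Q \in \mathcal{Q}_i\}}{f(x_1, \ldots, x_l) \xrightarrow{c} C[\vec{x}, \vec{y}]}$$

where

(a) $x_1, \ldots, x_l$ and $y_{ij}$ ($i \in I^+$, $j \in I_i^+$) are pairwise distinct variables;

(b) $I^+, J^+, I^-, J^- \subseteq L = \{1, \ldots, l\}$ and each $I_i^+$ and $J_i^+$ is finite;

(c) $a_{ij}$, $b$ and $c$ are actions in $A$ ($B_i \subseteq A$); and

(d) $P_{ij}$ and $Q$ are predicates in $\mathcal{P}$ ($\mathcal{Q}_i \subseteq \mathcal{P}$).

2. A preg predicate rule for an $l$-ary operation $f$ is a deduction rule similar to the one above, with
the only difference that its conclusion has the form $P(f(x_1, \ldots, x_l))$ for some $P \in \mathcal{P}$.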

Let $\rho$ be a preg (transition or predicate) rule for $f$. The symbol $f$ is the principal operation of
$\rho$. All the formulas above the line are antecedents and the formula below is the consequent. We say
that a position $i$ for $\rho$ is tested positively if $i \in I^+ \cup J^+$ and
$I_i^+ \cup J_i^+ \neq \emptyset$. Similarly, $i$ is tested negatively if $i \in I^- \cup J^-$ and
$B_i \cup \mathcal{Q}_i \neq \emptyset$. Whenever $\rho$ is a transition rule for $f$, we say that
$f(\vec{x})$ is the source, $C[\vec{x}, \vec{y}]$ is the target, and $c$ is the action of $\rho$. Whenever
$\rho$ is a predicate rule for $f$, we call $f(\vec{x})$ the test of $\rho$.

In order to avoid confusion, if in a certain context we use more than one rule, e.g. $\rho$, $\rho'$, we
parameterize the corresponding sets of indices with the name of the rule, e.g., $I_\rho^+$, $J_{\rho'}^-$.

Definition 2 (preg system). A preg system is a pair $G = (\Sigma_G, \mathcal{R}_G)$, where $\Sigma_G$ is a
finite signature and $\mathcal{R}_G = \mathcal{R}_G^{\mathcal{A}} \cup \mathcal{R}_G^{\mathcal{P}}$ is a finite
set of preg rules over $\Sigma_G$ ($\mathcal{R}_G^{\mathcal{A}}$ and $\mathcal{R}_G^{\mathcal{P}}$ represent
the transition and, respectively, the predicate rules of $G$).

Consider a preg system $G$. Formally, the operational semantics of the closed process terms in $G$
is fully characterized by the relations $\to_G \subseteq T(\Sigma_G) \times A \times T(\Sigma_G)$ and
$\ltimes_G \subseteq \mathcal{P} \times T(\Sigma_G)$, called the (unique) sound and supported transition and,
respectively, predicate relations. Intuitively, soundness guarantees that $\to_G$ and $\ltimes_G$ are closed
with respect to the application of the rules in $\mathcal{R}_G$ on $T(\Sigma_G)$, i.e., $\to_G$ (resp.
$\ltimes_G$) contains the set of all possible transitions (resp. predicates) process terms in
$T(\Sigma_G)$ can perform (resp. satisfy) according to $\mathcal{R}_G$. The requirement that $\to_G$ and
$\ltimes_G$ be supported means that all the transitions performed (resp. all the predicates satisfied) by a
certain process term can be "derived" from the deductive system described by $\mathcal{R}_G$. As a
notational convention, we write $S \xrightarrow{a}_G S'$ and $P_G S$ whenever $(S, a, S') \in \to_G$ and
$(P, S) \in \ltimes_G$. We omit the subscript $G$ when it is clear from the context.

Lemma 1. Let $G$ be a preg system. Then, for each $t \in T(\Sigma_G)$ the set
$\{(a, t') \mid t \xrightarrow{a} t', a \in A\}$ is finite.

Next we introduce the notion of bisimilarity - the equivalence over processes we consider in this 
paper. 

Definition 3 (Bisimulation). Consider a preg system $G = (\Sigma_G, \mathcal{R}_G)$. A symmetric relation
$R \subseteq T(\Sigma_G) \times T(\Sigma_G)$ is a bisimulation iff:

1. for all $s, t, s' \in T(\Sigma_G)$, whenever $(s, t) \in R$ and $s \xrightarrow{a} s'$ for some
$a \in A$, then there is some $t' \in T(\Sigma_G)$ such that $t \xrightarrow{a} t'$ and $(s', t') \in R$;

2. whenever $(s, t) \in R$ and $Ps$ ($P \in \mathcal{P}$) then $Pt$.

Two closed terms $s$ and $t$ are bisimilar (written $s \sim t$) iff there is a bisimulation relation $R$
such that $(s, t) \in R$.

Proposition 1. Let G be a preg system. Then ~ is an equivalence relation and a congruence for all 
operations f of G. 

Definition 4 (Disjoint extension). A preg system $G'$ is a disjoint extension of a preg system $G$, written
$G \sqsubseteq G'$, if the signature and the rules of $G'$ include those of $G$, and $G'$ does not introduce
new rules for operations in $G$.

It is well known that if $G \sqsubseteq G'$ then two terms in $T(\Sigma_G)$ are bisimilar in $G$ if and only
if they are bisimilar in $G'$.

From this point onward, our focus is to find a sound and ground-complete axiomatization of bisimilarity
on closed terms for an arbitrary preg system $G$, i.e., to identify a (finite) axiom system $E_G$ so that
$E_G \vdash s = t$ iff $s \sim t$ for all $s, t \in T(\Sigma_G)$. The method we apply is an adaptation of the
technique in to the preg setting. The strategy is to incrementally build a finite, head-normalizing
axiomatization for general preg terms, i.e., an axiomatization that, when applied recursively, reduces the
completeness problem for arbitrary terms to that for synchronization trees. This way, the proof of
ground-completeness for $G$ reduces to showing the equality of closed tree terms.

3 Preliminary steps towards the axiomatization 

In this section we start by identifying an appropriate language for expressing finite trees with predicates. 
We continue in the style of O, by extending the language with a kind of restriction operator used for 
expressing the inability of a process to perform a certain action or to satisfy a given predicate. (This oper- 
ator is used in the axiomatization of negative premises.) We provide the structural operational semantics 
of the resulting language, together with a sound and ground-complete axiomatization of bisimilarity on 
finite trees with predicates. 

3.1 Finite trees with predicates 

The language for trees we use in this paper is an extension with predicates of the language BCCSP [13].
The syntax of BCCSP consists of closed terms built from a constant $\delta$ (deadlock), the binary operator
_+_ (nondeterministic choice), and the unary operators a._ (action prefix), where $a$ ranges over the
actions in a set $A$. Let $\mathcal{P}$ be a set of predicates. For each $P \in \mathcal{P}$ we consider a
process constant $\kappa_P$, which "witnesses" the associated predicate in the definition of a process.
Intuitively, $\kappa_P$ stands for a process that only satisfies predicate $P$ and has no transition.

A finite tree term $t$ is built according to the following grammar:

$$t ::= \delta \mid \kappa_P\ (\forall P \in \mathcal{P}) \mid a.t\ (\forall a \in A) \mid t + t. \qquad (1)$$

Intuitively, $\delta$ represents a process that does not exhibit any behaviour, $s + t$ is the
nondeterministic choice between the behaviours of $s$ and $t$, while $a.t$ is a process that first performs
action $a$ and behaves like $t$ afterwards. The operational semantics that captures this intuition is given
by the rules of BCCSP:

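$$\frac{}{a.x \xrightarrow{a} x}\ (rl_1) \qquad \frac{x \xrightarrow{a} x'}{x + y \xrightarrow{a} x'}\ (rl_2) \qquad \frac{y \xrightarrow{a} y'}{x + y \xrightarrow{a} y'}\ (rl_3)$$

Figure 1: The semantics of BCCSP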



As our goal is to extend BCCSP, the next step is to find an appropriate semantics for predicates. As
can be seen in Fig. 1, action performance is determined by the shape of the terms. Consequently, we
choose to define predicates in a similar fashion.

Consider a predicate $P$ and the term $t = \kappa_P$. As previously mentioned, the purpose of $\kappa_P$ is
to witness the satisfiability of $P$. Therefore, it is natural to consider that $\kappa_P$ satisfies $P$.

Take for example the immediate termination predicate $\downarrow$. As a term $s + s'$ exhibits the
behaviour of both $s$ and $s'$, it is reasonable to state that $(s + s')\downarrow$ if $s\downarrow$ or
$s'\downarrow$. Note that for a term $t = a.t'$ the statement $t\downarrow$ is in contradiction with the
meaning of immediate termination, since $t$ can initially only execute action $a$. Predicates of this kind
are called explicit predicates in what follows.

Consider now the eventual termination predicate ^. In this situation, it is proper to consider that 
(s + 1)^ if s*j or f/ and, moreover, that a.s^ if s*j. We refer to predicates such as 'j as implicit predicates 
(that range over a set $\mathcal{P}^I$ included in $\mathcal{P}$), since their satisfiability propagates
through the structure of tree terms in an implicit fashion. We denote by $A_P$ (included in $A$) the set
consisting of the actions $a$ for which this behaviour is permitted when reasoning on the satisfiability of
predicate $P$.

The rules expressing the semantics of predicates are: 

$$\frac{}{P\kappa_P}\ (rl_4) \qquad \frac{Px}{P(x + y)}\ (rl_5) \qquad \frac{Py}{P(x + y)}\ (rl_6) \qquad \frac{Px}{P(a.x)},\ \forall P \in \mathcal{P}^I\ \forall a \in A_P\ (rl_7)$$

Figure 2: The semantics of predicates

The operational semantics of trees with predicates is given by the set of rules $(rl_1)$-$(rl_7)$
illustrated in Fig. 1 and Fig. 2. For notational consistency, we make the following conventions. Let $A$ be
an action set and $\mathcal{P}$ a set of predicates. $\Sigma_{FTP}$ represents the signature of finite trees
with predicates. $T(\Sigma_{FTP})$ is the set of (closed) tree terms built over $\Sigma_{FTP}$, and
$\mathcal{R}_{FTP}$ is the set of rules $(rl_1)$-$(rl_7)$. Moreover, by FTP we denote the system
$(\Sigma_{FTP}, \mathcal{R}_{FTP})$.

Discussion on the design decisions. At first sight, it seems reasonable for our framework to allow for
language specifications containing rules of the shape p ^ x+y y or just one of $(rl_5)$ and $(rl_6)$. We
decided, however, to disallow them, as their presence would invalidate standard algebraic properties such
as the idempotence and the commutativity of _+_.

Without loss of generality we avoid rules of the form p ^ x y. As far as the user is concerned, in order
to express that $a.x$ satisfies a predicate $P$, one can always add the witness $\kappa_P$ as a summand:
$a.x + \kappa_P$. This decision helped us avoid some technical problems for the soundness and completeness
proofs for the case of the restriction operator $\partial_{B,Q}$, which is presented in Section 3.3.

Due to the aforementioned restriction, we also had to leave out universal predicates with rules of the
form p( x +y^ ■. However, the elimination of universal predicates is not a theoretical limitation to what
one can express, since a universal predicate can always be defined as the negation of an existential one.

As a last approach, we thought of allowing the user to specify existential predicates using rules of
the form P ph^y (*) and P p y ( x +y) (**) (instead of $(rl_5)$ and $(rl_6)$). However, in order to maintain
the validity of the axiom $x + x = x$ in the presence of rules of these forms, it would have to be the case
that one of the predicates $P_j$ in the premises is $P$ itself. (If that were not the case, then let $t$ be
the sum of the constants witnessing the $P_j$'s for a rule of the form (*) above with a minimal set of
premises. We have that $t + t$ satisfies $P$ by rule (*). On the other hand, $Pt$ does not hold since none
of the $P_j$ is equal to $P$ and no rule for $P$ with a smaller set of premises exists.) Now, if a rule of
the form (*) has a premise of the form $Px$, then it is subsumed by $(rl_5)$ which we must have to ensure
the validity of laws such as

$$\kappa_P = \kappa_P + \kappa_P.$$

3.2 Axiomatizing finite trees 

In what follows we provide a finite sound and ground-complete axiomatization ($E_{FTP}$) for bisimilarity
over finite trees with predicates.

The axiom system $E_{FTP}$ consists of the following axioms:

$x + y = y + x$   $(A_1)$
$(x + y) + z = x + (y + z)$   $(A_2)$
$x + x = x$   $(A_3)$
$x + \delta = x$   $(A_4)$
$a.(x + \kappa_P) = a.(x + \kappa_P) + \kappa_P$, $\forall P \in \mathcal{P}^I\ \forall a \in A_P$   $(A_5)$

Figure 3: The axiom system $E_{FTP}$

Axioms $(A_1)$-$(A_4)$ are well-known [16]. Axiom $(A_5)$ describes the propagation of witness constants
for the case of implicit predicates.

We now introduce the notion of terms in head normal form. This concept plays a key role in the 
proofs of completeness for the axiom systems generated by our framework. 

Definition 5 (Head Normal Form). Let $\Sigma$ be a signature such that $\Sigma_{FTP} \subseteq \Sigma$. A
term $t$ in $T(\Sigma)$ is in head normal form (for short, h.n.f.) if

$$t = \sum_{i \in I} a_i.t_i + \sum_{j \in J} \kappa_{P_j},$$ and the $P_j$ are all the predicates satisfied by $t$.

The empty sum ($I = \emptyset$, $J = \emptyset$) is denoted by the deadlock constant $\delta$.

Lemma 2. $E_{FTP}$ is head normalizing for terms in $T(\Sigma_{FTP})$. That is, for all $t$ in
$T(\Sigma_{FTP})$, there exists $t'$ in $T(\Sigma_{FTP})$ in h.n.f. such that $E_{FTP} \vdash t = t'$ holds.

Proof. The reasoning is by induction on the structure of $t$. □

Theorem 1. $E_{FTP}$ is sound and ground-complete for bisimilarity on $T(\Sigma_{FTP})$. That is, it holds
that $(\forall t, t' \in T(\Sigma_{FTP})).\ E_{FTP} \vdash t = t'$ iff $t \sim t'$.
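
The following Python sketch is an added illustration, not code from the paper or from the Maude tool: it implements the rules $(rl_1)$-$(rl_7)$ for closed tree terms, decides bisimilarity by recursion on depth, and checks instances of $(A_1)$-$(A_5)$ against it. The action set, the predicate names `term` (explicit) and `evterm` (implicit, with $A_P = \{a, b\}$) and all function names are assumptions made for the example.

```python
from itertools import product

# Constructed sample parameters (assumptions, not taken from the paper).
ACTIONS = ("a", "b")
PREDICATES = ("term", "evterm")        # an explicit and an implicit predicate
IMPLICIT = {"evterm": {"a", "b"}}      # P in P^I mapped to its action set A_P

# Closed tree terms of grammar (1), encoded as hashable tuples.
DELTA = ("delta",)
def kappa(p): return ("kappa", p)
def prefix(a, t): return ("prefix", a, t)
def plus(s, t): return ("plus", s, t)

def transitions(t):
    """Pairs (action, successor) derivable with rules (rl1)-(rl3)."""
    if t[0] == "prefix":
        return {(t[1], t[2])}
    if t[0] == "plus":
        return transitions(t[1]) | transitions(t[2])
    return set()                       # delta and kappa_P cannot move

def predicates(t):
    """Predicates satisfied by t according to rules (rl4)-(rl7)."""
    if t[0] == "kappa":
        return {t[1]}
    if t[0] == "plus":
        return predicates(t[1]) | predicates(t[2])
    if t[0] == "prefix":               # (rl7): only implicit P with a in A_P propagate
        return {p for p in predicates(t[2]) if t[1] in IMPLICIT.get(p, ())}
    return set()

def bisimilar(s, t):
    """Definition 3 on finite trees: same predicates, transitions matched both ways."""
    if predicates(s) != predicates(t):
        return False
    def matched(x, y):
        return all(any(a == b and bisimilar(x1, y1) for b, y1 in transitions(y))
                   for a, x1 in transitions(x))
    return matched(s, t) and matched(t, s)

def hnf(t):
    """Canonical value of the head normal form of Definition 5, taken at every depth:
    the set of summands a_i.t_i and the set of witnessed predicates P_j."""
    return (frozenset((a, hnf(t1)) for a, t1 in transitions(t)),
            frozenset(predicates(t)))

def sample_terms(depth):
    """All terms obtained by `depth` rounds of prefixing and summing the constants."""
    terms = [DELTA] + [kappa(p) for p in PREDICATES]
    for _ in range(depth):
        terms = list(dict.fromkeys(
            terms + [prefix(a, t) for a in ACTIONS for t in terms]
                  + [plus(s, t) for s, t in product(terms, terms)]))
    return terms

def violated_axioms(terms):
    """Instances of (A1)-(A5) over `terms` whose two sides are not bisimilar."""
    eqs = []
    for x in terms:
        eqs.append(("A3", plus(x, x), x))
        eqs.append(("A4", plus(x, DELTA), x))
        for p, acts in IMPLICIT.items():
            for a in acts:
                lhs = prefix(a, plus(x, kappa(p)))
                eqs.append(("A5", lhs, plus(lhs, kappa(p))))
        for y in terms:
            eqs.append(("A1", plus(x, y), plus(y, x)))
            for z in terms:
                eqs.append(("A2", plus(plus(x, y), z), plus(x, plus(y, z))))
    return [(name, l, r) for name, l, r in eqs if not bisimilar(l, r)]

if __name__ == "__main__":
    ts = sample_terms(1)
    print("unsound instances:", violated_axioms(ts))
    # (A5) is restricted to implicit predicates: with the explicit "term" it fails.
    x = prefix("a", plus(DELTA, kappa("term")))
    print("A5 shape with explicit predicate is sound:", bisimilar(x, plus(x, kappa("term"))))
```

The last check shows why $(A_5)$ carries the side condition $P \in \mathcal{P}^I$, $a \in A_P$: for an explicit predicate the prefixed term does not inherit the witness, so the two sides differ.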
3.3 Axiomatizing negative premises

A crucial step in finding a complete axiomatization for preg systems is the "axiomatization" of negative
premises (of the shape $x \stackrel{a}{\nrightarrow}$, $\neg Px$). In the style of (H, we introduce the
restriction operator $\partial_{B,Q}$, where $B \subseteq A$ and $Q \subseteq \mathcal{P}$ are the sets of
initially forbidden actions and predicates, respectively. The semantics of $\partial_{B,Q}$ is given by the
two types of transition rules in Fig. 4.

$(rl_8)$ if $a \notin B$ \qquad $(rl_9)$ if $P \notin Q$

Figure 4: The semantics of $\partial_{B,Q}$



Note that $\partial_{B,Q}$ behaves like the one step restriction operator in for the actions in $B$, as the
restriction on the action set disappears after one transition. On the other hand, for the case of
predicates in $Q$, the operator $\partial_{B,Q}$ resembles the CCS restriction operator [16] since, due to
the presence of implicit predicates, not all the restrictions related to predicate satisfaction necessarily
disappear after one step, as will become clear in what follows.

We write $E^{\partial}_{FTP}$ for the extension of $E_{FTP}$ with the axioms involving $\partial_{B,Q}$
presented in Fig. 5. $\mathcal{R}^{\partial}_{FTP}$ stands for the set of rules $(rl_1)$-$(rl_9)$, while
$FTP^{\partial}$ represents the system $(\Sigma^{\partial}_{FTP}, \mathcal{R}^{\partial}_{FTP})$.

$\partial_{B,Q}(\delta) = \delta$   $(A_6)$
$\partial_{B,Q}(\kappa_P) = \delta$ if $P \in Q$   $(A_7)$
$\partial_{B,Q}(\kappa_P) = \kappa_P$ if $P \notin Q$   $(A_8)$
$\partial_{B,Q}(a.x) = \sum_{P \notin Q,\ P(a.x)} \kappa_P$ if $a \in B$   $(A_9)$
$\partial_{B,Q}(a.x) = \partial_{\emptyset,Q}(a.x)$ if $a \notin B$   $(A_{10})$
$\partial_{\emptyset,Q}(a.x) = a.\partial_{\emptyset, Q \cap \mathcal{P}^I}(x)$   $(A_{11})$
$\partial_{B,Q}(x + y) = \partial_{B,Q}(x) + \partial_{B,Q}(y)$   $(A_{12})$

Figure 5: The axiom system $E^{\partial}_{FTP} \setminus E_{FTP}$



Axiom $(A_6)$ states that it is useless to impose restrictions on $\delta$, as $\delta$ does not exhibit
any behaviour. The intuition behind $(A_7)$ is that since a predicate witness $\kappa_P$ does not perform
any action, inhibiting the satisfiability of $P$ leads to a process with no behaviour, namely $\delta$.
Consequently, if the restricted predicates do not include $P$, the resulting process is $\kappa_P$ itself
(see $(A_8)$). Inhibiting the only action a process $a.t$ can perform leads to a new process that, in the
best case, satisfies some of the predicates in $\mathcal{P}^I$ satisfied by $t$ (by $(rl_7)$) if
$Q \neq \mathcal{P}^I$ (see $(A_9)$). Whenever the restricted action set $B$ does not contain the only action
a process $a.t$ can perform, then it is safe to give up $B$ (see $(A_{10})$). As a process $a.t$ only
satisfies the predicates also satisfied by $t$, it is straightforward to see that
$\partial_{\emptyset,Q}(a.t)$ is equivalent to the process obtained by propagating the restrictions on
implicit predicates deeper into the behaviour of $t$ (see $(A_{11})$). Axiom $(A_{12})$ is given in
conformity with the semantics of _+_ ($s + t$ encapsulates both the behaviours of $s$ and $t$).

Remark 1. For the sake of brevity and readability, in Fig. 5 we presented $(A_9)$, which is a schema with
infinitely many instances. However, it can be replaced by a finite family of axioms. See Appendix D in
the full version of the paper available at http://www.ru.is/faculty/luca/PAPERS/axgsos.pdf for details.

Theorem 2. The following statements hold for $E^{\partial}_{FTP}$:

1. $E^{\partial}_{FTP}$ is sound for bisimilarity on $T(\Sigma^{\partial}_{FTP})$.

2. $\forall t \in T(\Sigma^{\partial}_{FTP}), \exists t' \in T(\Sigma_{FTP})$ s.t.
$E^{\partial}_{FTP} \vdash t = t'$.

As proving completeness for $FTP^{\partial}$ can be reduced to showing completeness for FTP (already proved
in Theorem 1), the following result is an immediate consequence of Theorem 2.

Corollary 1. $E^{\partial}_{FTP}$ is sound and complete for bisimilarity on $T(\Sigma^{\partial}_{FTP})$.

4 Smooth and distinctive operations 

Recall that our goal is to provide a sound and ground-complete axiomatization for bisimilarity on systems 
specified in the preg format. As the preg format is too permissive for achieving this result directly, our 
next task is to find a class of operations for which we can build such an axiomatization by "easily" 
reducing it to the completeness result for FTP, presented in Theorem 1. In the literature, these operations
are known as smooth and distinctive 0. As we will see, these operations are incrementally identified by 
imposing suitable restrictions on preg rules. The standard procedure is to first find the smooth operations, 
based on which one determines the distinctive ones. 

Definition 6 (Smooth operation). 

1. A preg transition rule is smooth if it is of the following format:

$$\frac{\{x_i \xrightarrow{a_i} y_i \mid i \in I^+\} \quad \{P_i x_i \mid i \in J^+\} \quad \{x_i \stackrel{b}{\nrightarrow} \mid i \in I^-, b \in B_i\} \quad \{\neg Q x_i \mid i \in J^-, Q \in \mathcal{Q}_i\}}{f(x_1, \ldots, x_l) \xrightarrow{c} C[\vec{x}, \vec{y}]}$$

where

(a) $I^+, J^+, I^-, J^-$ disjointly cover the set $L = \{1, \ldots, l\}$,

(b) in the target $C[\vec{x}, \vec{y}]$ we allow only: $y_i$ ($i \in I^+$), $x_i$ ($i \in I^- \cup J^-$).

2. A preg predicate rule is smooth if it has the form above, its premises satisfy condition (1a) and its
conclusion is $P(f(x_1, \ldots, x_l))$ for some $P \in \mathcal{P}$.

3. An operation $f$ of a preg system is smooth if all its (transition and predicate) rules are smooth.

By Definition 6, a rule $\rho$ is smooth if it satisfies the following properties:

• a position $i$ cannot be tested both positively and negatively at the same time,

• positions tested positively are either from $I^+$ or $J^+$ and they are not tested for the performance of
multiple transitions (respectively, for the satisfiability of multiple predicates) within the same rule,
and

• if $\rho$ is a transition rule, then the occurrence of variables at positions $i \in I^+ \cup J^+$ is not
allowed in the target of the consequent of $\rho$.

Remark 2. Note that we can always consider a position $i$ that does not occur as a premise in a rule
for $f$ as being negative, with the empty set of constraints (i.e. either $i \in I^-$ and
$B_i = \emptyset$, or $i \in J^-$ and $\mathcal{Q}_i = \emptyset$).

Definition 7 (Distinctive operation). An operation f of a preg system is distinctive if it is smooth and: 

• for each argument i, either all rules for f test i positively, or none of them does, and 

• for any two distinct rules for f there exists a position i tested positively, such that one of the 
following holds: 
  - both rules have actions that are different in the premise at position $i$,

  - both rules have predicates that are different in the premise at position $i$,

  - one rule has an action premise at position $i$, and the other rule has a predicate test at the
    same position $i$.

According to the first requirement in Definition 7, we state that for a smooth and distinctive operation
$f$, a position $i$ is positive (respectively, negative) for $f$ if there is a rule for $f$ such that $i$
is tested positively (respectively, negatively) for that rule.

The existence of a family of smooth and distinctive operations "describing the behaviour" of a general 
preg operation is formalized by the following lemma: 

Lemma 3. Consider a preg system $G$. Then there exist a preg system $G'$, which is a disjoint extension of
$G$ and FTP, and a finite axiom system $E$ such that

1. $E$ is sound for bisimilarity over any disjoint extension $G''$ of $G'$, and

2. for each term $t$ in $T(\Sigma_G)$ there is some term $t'$ in $T(\Sigma_{G'})$ such that $t'$ is built
solely using smooth and distinctive operations and $E$ proves $t = t'$.

4.1 Axiomatizing smooth and distinctive preg operations 

To start with, consider, for the good flow of the presentation, that we only handle explicit predicates
(i.e., we take $\mathcal{P}^I = \emptyset$). Towards the end of the section we discuss how to extend the
presented theory to implicit predicates. We proceed in a similar fashion to by defining a set of laws used
in the construction of a complete axiomatization for bisimilarity on terms built over smooth and
distinctive operations. The strength of these laws lies in their capability of reducing terms to their
head normal form, thus reducing completeness for general preg systems to completeness of $E_{FTP}$ (which
has already been proved in Section 3.2).

Definition 8. Let $f$ be a smooth and distinctive $l$-ary operation of a preg system $G$, such that
$FTP^{\partial} \sqsubseteq G$.

1. For a positive position $i \in L = \{1, \ldots, l\}$, the distributivity law for $i$ w.r.t. $f$ is given
as follows:

$$f(X_1, \ldots, X_i' + X_i'', \ldots, X_l) = f(X_1, \ldots, X_i', \ldots, X_l) + f(X_1, \ldots, X_i'', \ldots, X_l).$$

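2. For a rule $\rho \in \mathcal{R}$ for $f$ the trigger law is, depending on whether $\rho$ is a transition
or a predicate rule:

$$f(\vec{X}) = \begin{cases} c.C[\vec{X}, \vec{y}], & \rho \in \mathcal{R}^{\mathcal{A}} \text{ (action law)} \\ \kappa_P, & \rho \in \mathcal{R}^{\mathcal{P}} \text{ (predicate law)} \end{cases}$$

where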




,iel + 

Xi = I K Pi , 

3. Suppose that for $i \in L$, term $X_i$ is in one of the forms $\delta$, $z_i$, $\kappa_{P_i}$, $a.z_i$,
$a.z_i + z_i'$ or $\kappa_{P_i} + z_i$. Suppose further that for each rule for $f$ there exists
$X_j \in \vec{X}$ ($j \in \{1, \ldots, l\}$) s.t. one of the following holds:

• $j \in I^+$ and ($X_j = \delta$ or $X_j = b.z_j$ ($b \neq a_j$) or $X_j = \kappa_Q$, for some $Q$),

• $j \in J^+$ and ($X_j = \delta$ or $X_j = \kappa_Q$ ($Q \neq P_j$) or $X_j = b.z_j$, for some $b$),

• $j \in I^-$ and $X_j = b.z_j + z_j'$, where $b \in B_j$,

• $j \in J^-$ and $X_j = \kappa_Q + z_j$, where $Q \in \mathcal{Q}_j$.

Then the deadlock law is as follows:

$$f(\vec{X}) = \delta.$$

Example 1. Consider the right-biased sequential composition operation $\_ ;_r \_$, whose semantics is given
by the rules

$$\frac{x\downarrow \quad y \xrightarrow{a} y'}{x ;_r y \xrightarrow{a} y'}, \qquad \frac{x\downarrow \quad y\downarrow}{(x ;_r y)\downarrow} \quad \text{and} \quad \frac{x\downarrow \quad y\uparrow}{(x ;_r y)\uparrow},$$

where $\downarrow$ and $\uparrow$ are, respectively, the immediate termination and immediate divergence
predicates. $\_ ;_r \_$ is one of the auxiliary operations generated by the algorithm for deriving smooth
and distinctive operations when axiomatizing the sequential composition in the presence of the two
mentioned predicates.

The laws derived according to Definition 8 for this system are:

$(x + y) ;_r z = x ;_r z + y ;_r z$ \qquad $\delta ;_r y = \delta$
$x ;_r (y + z) = x ;_r y + x ;_r z$ \qquad $\kappa_\uparrow ;_r y = \delta$
$\kappa_\downarrow ;_r a.y = a.y$ \qquad $a.x ;_r y = \delta$



Theorem 3. Consider $G$ a preg system such that $FTP^{\partial} \sqsubseteq G$. Let
$\Sigma \subseteq \Sigma_G \setminus \Sigma^{\partial}_{FTP}$ be a collection of smooth and distinctive
operations of $G$. Let $E_G$ be the finite axiom system that extends $E^{\partial}_{FTP}$ with the
following axioms for each $f \in \Sigma$:

• for each positive argument $i$ of $f$, a distributivity law (Definition 8.1),

• for each transition rule for $f$, an action law (Definition 8.2),

• for each predicate rule for $f$, a predicate law (Definition 8.2), and

• all deadlock laws for $f$ (Definition 8.3).

The following statements hold for $E_G$, for any $G'$ such that $G \sqsubseteq G'$:

1. $E_G$ is sound for bisimilarity on $T(\Sigma_{G'})$.

2. $E_G$ is head normalizing for $T(\Sigma \cup \Sigma^{\partial}_{FTP})$.

Obtaining the soundness of the action law (Definition 8.2) requires some care when allowing for
specifications with implicit predicates ($\mathcal{P}^I \neq \emptyset$). Consider a scenario in which a
transition rule for a smooth and distinctive operation $f$ is of the form
$\frac{\ldots}{f(\vec{X}) \xrightarrow{c} C[\vec{X}, \vec{y}]}$. Assume the closed instantiation
$\vec{X} = \vec{s}$, $\vec{y} = \vec{t}$ and assume that $P(c.C[\vec{s}, \vec{t}\,])$ holds for some predicate
$P$ in $\mathcal{P}^I$. This means that $P(C[\vec{s}, \vec{t}\,])$ holds. In order to preserve the soundness
of the action law, $P(f(\vec{s}))$ should also hold, but this is impossible since $f$ is distinctive. One
possible way of ensuring the soundness of the action law in the presence of implicit predicates is to
stipulate some syntactic consistency requirements on the language specification. One sufficient
requirement would be that if predicate rule pnjrggrj is derivable, then the system should contain a
predicate rule pj^M) with $H'' \subseteq H'$. This is enough to guarantee that if the right-hand side of
the action law satisfies $P$ then so does the left-hand side.
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5 Soundness and completeness 

Let us summarize our results so far. By Theorem[3l it follows that, for any preg system G □ FTP 9 , there 
is an axiomatization that is head normalizing for T(S U T*p TP ), where £ C \ is a collection of 
smooth and distinctive operations of G. Also, as hinted in Section [4] (Lemma [3]), there exists a sound 
algorithm for transforming general preg operations to smooth and distinctive ones. 

So, for any preg system G, we can build a preg system G' □ G and an axiomatization E^?/ that is 
head normalizing for T(£g</). This statement is formalized as follows: 

Theorem 4. Let G be a preg system. Then there exist G' □ G a«<f a finite axiom system Eqi such that 

1. Eqi is sound for bisimilarity on T(T,qi), 

2. Eqi is head normalizing for T(Eqi), 

and moreover, G' and Eqi can he effectively constructed from G. 

Proof. The result follows immediately by Theorem 3 and by the existence of an algorithm used for
transforming general preg to smooth and distinctive operations. □

Remark 3. Theorem 4 guarantees ground-completeness of the generated axiomatization for well-founded
preg specifications, that is, preg specifications in which each process can only exhibit finite behaviour.

Let us further recall an example given in [2]. Consider the constant $\omega$, specified by the rule
$\omega \xrightarrow{a} \omega$. Obviously, the corresponding action law $\omega = a.\omega$ will apply an infinite number of times in the
normalization process. So the last step in obtaining a complete axiomatization is to handle infinite
behaviour.

Let t and t' be two processes with infinite behaviour (remark that the infinite behaviour is a conse- 
quence of performing actions for an infinite number of times, so the extension to predicates is not a cause 
for this issue). Since we are dealing with finitely branching processes, it is well known that if two process 
terms are bisimilar at each finite depth, then they are bisimilar. One way of formalizing this requirement 
is to use the well-known Approximation Induction Principle (AIP) EG). 

Let us first consider the operations $\pi_n(\cdot)$, $n \in \mathbb{N}$, known as projection operations. The purpose of
these operations is to stop the evolution of processes after a certain number of steps. The AIP is given by
the following conditional equation:

$x = y$ if $\pi_n(x) = \pi_n(y)$ ($\forall n \in \mathbb{N}$).

We further adapt the idea in [2] to our context, and model the infinite family of projection operations
$\pi_n(\cdot)$, $n \in \mathbb{N}$, by a binary operation $\cdot/\cdot$ defined as follows:

$x \xrightarrow{a} x' \qquad h \xrightarrow{c} h' \qquad Px$

where $c$ is an arbitrary action. Note that $\cdot/\cdot$ is a smooth and distinctive operation.

The role of variable $h$ is to "control" the evolution of a process, i.e., to stop the process from performing
actions after a given number of steps. Variable $h$ (the "hourglass" in [2]) will always be instantiated with
terms of the shape $c^n$, inductively defined as: $c^0 = \delta$, $c^{n+1} = c.c^n$.

Let $G = (\Sigma_G, \mathcal{R}_G)$ be a preg system. We use the notation $G_/$ to refer to the preg system
$(\Sigma_G \cup \{\cdot/\cdot\}, \mathcal{R}_G \cup \{(rl_{10}), (rl_{11})\})$, the extension of $G$ with $\cdot/\cdot$. Moreover, we use the notation $E_{AIP}$ to refer
to the axioms for the smooth and distinctive operation $\cdot/\cdot$, derived as in Section 4.1 (Definition 8).

We reformulate AIP according to the new operation $\cdot/\cdot$:

$x = y$ if $x/c^n = y/c^n$ ($\forall n \in \mathbb{N}$)

Lemma 4. AIP is sound for bisimilarity on $T(\Sigma_{FTP_/})$.
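
The depth-n comparison behind AIP, as an added Python example (not code from the paper or its tool). The sample transition system, the predicate name "done" and the function names are constructed; the code assumes that x/h moves only when both x and h can move, and that x/h satisfies the predicates of x. Agreement up to a bound is evidence only, since AIP quantifies over every n.

```python
# Constructed finitely branching LTS:
# state -> (predicates satisfied, {action: successor states}).
LTS = {
    "w":  (set(), {"a": {"w"}}),       # the constant with the single rule w -a-> w
    "v0": (set(), {"a": {"v1"}}),      # a two-state loop with the same behaviour
    "v1": (set(), {"a": {"v0"}}),
    "u0": (set(), {"a": {"u1"}}),      # two a-steps, then a state satisfying "done"
    "u1": (set(), {"a": {"u2"}}),
    "u2": ({"done"}, {}),
}

def project(state, n, lts=LTS):
    """Canonical finite tree for state/c^n: the root predicates plus the
    labelled subtrees reachable while the hourglass can still tick."""
    preds, moves = lts[state]
    kids = frozenset()
    if n > 0:  # c^0 has no c-transition, so state/c^0 cannot move
        kids = frozenset((a, project(t, n - 1, lts))
                         for a, targets in moves.items() for t in targets)
    return (frozenset(preds), kids)

def first_difference(s, t, max_n, lts=LTS):
    """Smallest n <= max_n with s/c^n != t/c^n, or None if none is found."""
    for n in range(max_n + 1):
        if project(s, n, lts) != project(t, n, lts):
            return n
    return None
```

Trees are compared as nested frozensets, so duplicate and reordered summands are identified, which is exactly bisimilarity on finite trees.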

In what follows we provide the final ingredients for proving the existence of a ground-complete
axiomatization for bisimilarity on preg systems. As previously stated, this is achieved by reducing
completeness to proving equality in FTP. So, based on AIP, it would suffice to show that for any closed
process term $t$ and natural number $n$, there exists an FTP term equivalent to $t$ at moment $n$ in time:

Lemma 5. Consider $G$ a preg system. Then there exist $G' \sqsupseteq G_/$ and $E_{G'}$ with the property:
$\forall t \in T(\Sigma_{G'}), \forall n \in \mathbb{N}, \exists t' \in T(\Sigma_{FTP})$ s.t. $E_{G'} \vdash t/c^n = t'$.

At this point we can prove the existence of a sound and ground-complete axiomatization for
bisimilarity on general preg systems:

Theorem 5 (Soundness and Completeness). Consider $G$ a preg system. Then there exist $G' \sqsupseteq G_/$ and
$E_{G'}$ a finite axiom system, such that $E_{G'} \cup E_{AIP}$ is sound and complete for bisimilarity on $T(\Sigma_{G'})$.

6 Motivation for handling predicates as first-class notions 

In the literature on the theory of rule formats for Structural Operational Semantics (especially, the work
devoted to congruence formats for various notions of bisimilarity), predicates are often neglected at first
and are only added to the considerations at a later stage. The reason is that one can encode predicates
quite easily by means of transition relations. One can find a number of such encodings in the literature;
see, for instance, [11], [19]. In each of these encodings, a predicate $P$ is represented as a transition
relation $\xrightarrow{P}$ (assuming that $P$ is a fresh action label) with a fixed constant symbol as target. Using this
translation, one can axiomatize bisimilarity over preg language specifications by first converting them
into "equivalent" standard GSOS systems, and then applying the algorithm from [2] to obtain a finite
axiomatization of bisimilarity over the resulting GSOS system.

In light of this approach, it is natural to wonder whether it is worthwhile to develop an algorithm to
axiomatize preg language specifications directly. One possible answer, which has been presented several
times in the literature [19], is that often one does not want to encode a language specification with
predicates using one with transitions only. Sometimes, specifications using predicates are the most natural
ones to write, and one should not force a language designer to code predicates using transitions. (However,
one can write a tool to perform the translation of predicates into transitions, which can therefore
be carried out transparently to the user/language designer.) Also, developing an algorithm to axiomatize
GSOS language specifications with predicates directly yields insight into the difficulties that result from
the first-class use of, and the interplay among, various types of predicates, as far as axiomatizability
problems are concerned. These issues would be hidden by encoding predicates as transitions. Moreover, the
algorithm resulting from the encoding would generate axioms involving predicate-prefixing operators,
which are somewhat unintuitive.

Naturalness is, however, often in the eye of the beholder. Therefore, we now provide a more technical
reason why it may be worthwhile to develop techniques that apply to GSOS language specifications with
predicates as first-class notions, such as the preg ones. Indeed, we now show how, using predicates, one
can convert any standard GSOS language specification $G$ into an equivalent positive one with predicates
$G^+$.

Given a GSOS language $G$, the system $G^+$ will have the same signature and the same set of actions as
$G$, but uses predicates cannot(a) for each action $a$. The idea is simply that "x cannot(a)" is the predicate
formula that expresses that "x does not afford an a-labelled transition". The translation works as follows.

1. Each rule in $G$ is also a rule in $G^+$, but one replaces each negative premise in each rule with its
corresponding positive predicate premise. This means that $x \overset{a}{\nrightarrow}$ becomes $x\ \mathrm{cannot}(a)$.

2. One adds to $G^+$ rules defining the predicates cannot(a), for each action $a$. This is done in such
a way that $p\ \mathrm{cannot}(a)$ holds in $G^+$ exactly when $p \overset{a}{\nrightarrow}$ in $G$, for each closed term $p$ and action $a$.
More precisely, we proceed as follows.

(a) For each constant symbol $f$ and action $a$, add the rule

$\dfrac{}{f\ \mathrm{cannot}(a)}$

whenever there is no transition rule in $G$ with $f$ as principal operation and with an a-labelled
transition as its consequent.

(b) For each operation $f$ with arity at least one and action $a$, let $R(f,a)$ be the set of rules in
$G$ that have $f$ as principal operation and an a-labelled transition as consequent. We want
to add rules for the predicate cannot(a) to $G^+$ that allow us to prove the predicate formula
$f(p_1,\ldots,p_l)\ \mathrm{cannot}(a)$ exactly when $f(p_1,\ldots,p_l)$ does not afford an a-labelled transition in
$G$. This occurs if, for each rule in $R(f,a)$, there is some premise that is not satisfied when
the arguments of $f$ are $p_1,\ldots,p_l$. To formalize this idea, let $H(R(f,a))$ be the collection
of premises of rules in $R(f,a)$. We say that a choice function is a function $\phi : R(f,a) \to H(R(f,a))$
that maps each rule in $R(f,a)$ to one of its premises. Let

$neg(x \xrightarrow{a} x') = x\ \mathrm{cannot}(a)$ and
$neg(x \overset{a}{\nrightarrow}) = x \xrightarrow{a} x'$, for some $x'$.

Then, for each choice function $\phi$, we add to $G^+$ a predicate rule of the form

$\dfrac{\{neg(\phi(\rho)) \mid \rho \in R(f,a)\}}{f(x_1,\ldots,x_l)\ \mathrm{cannot}(a)}$

where the targets of the positive transition formulae in the premises are chosen to be all
different.

The above construction ensures the validity of the following lemma.

Lemma 6. For each closed term $p$ and action $a$,

1. $p \xrightarrow{a} p'$ in $G$ if, and only if, $p \xrightarrow{a} p'$ in $G^+$;

2. $p\ \mathrm{cannot}(a)$ in $G^+$ if, and only if, $p \overset{a}{\nrightarrow}$ in $G^+$ (and therefore in $G$).

This means that two closed terms are bisimilar in $G$ if, and only if, they are bisimilar in $G^+$. Moreover,
two closed terms are bisimilar in $G^+$ iff they are bisimilar when we only consider the transitions
(and not the predicates cannot(a)).
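
The translation from G to G+ and the two equivalences of Lemma 6, as an added Python example (not code from the paper or its tool). The sample system with operators nil, a., b., + and pri, and all function names, are constructed for illustration; transition targets are omitted because the cannot(a) rules only need them to be distinct fresh variables.

```python
from itertools import product

ACTIONS, ARITY = ("a", "b"), {"nil": 0, "a.": 1, "b.": 1, "+": 2, "pri": 1}
# Constructed sample GSOS system G. A rule is (op, action, premises); a premise
# is (argument index, label, positive?). Targets are omitted (fresh variables).
RULES = [("a.", "a", ()), ("b.", "b", ()),
         ("+", "a", ((0, "a", True),)), ("+", "a", ((1, "a", True),)),
         ("+", "b", ((0, "b", True),)), ("+", "b", ((1, "b", True),)),
         ("pri", "b", ((0, "b", True),)),
         ("pri", "a", ((0, "a", True), (0, "b", False)))]  # a only if no b

def positive_rules(rules):
    """Step 1: copy G into G+, turning each negative premise into cannot."""
    return [(f, a, frozenset(("trans" if pos else "cannot", i, b)
                             for i, b, pos in prem)) for f, a, prem in rules]

def cannot_rules(rules, arity, actions):
    """Step 2: one predicate rule per choice function on R(f, a)."""
    out = set()
    for f, a in product(arity, actions):
        r_fa = [prem for op, act, prem in rules if (op, act) == (f, a)]
        # Empty R(f, a): one premise-free rule. A premise-free rule in R(f, a)
        # leaves no choice function, so no cannot(a) rule is generated for f.
        for choice in product(*r_fa):
            out.add((f, a, frozenset(("cannot" if pos else "trans", i, b)
                                     for i, b, pos in choice)))
    return out

def holds(kind, term, a, trans, cannot):
    """Is `term -a->` (kind "trans") or `term cannot(a)` derivable in G+?"""
    rules = trans if kind == "trans" else cannot
    return any(all(holds(k, term[1 + i], b, trans, cannot) for k, i, b in prem)
               for f, act, prem in rules if (f, act) == (term[0], a))

def affords(term, a, rules=RULES):
    """Reference semantics of G, reading negative premises directly."""
    return any(all(affords(term[1 + i], b, rules) == pos for i, b, pos in prem)
               for f, act, prem in rules if (f, act) == (term[0], a))

def closed_terms(depth):
    """All closed terms over ARITY of nesting depth <= depth, as tuples."""
    sub = closed_terms(depth - 1) if depth else []
    return [(f, *args) for f, n in ARITY.items()
            for args in product(sub, repeat=n)]

def lemma6_holds(terms):
    trans, cannot = positive_rules(RULES), cannot_rules(RULES, ARITY, ACTIONS)
    return all(holds("trans", t, a, trans, cannot) == affords(t, a)
               and holds("cannot", t, a, trans, cannot) != affords(t, a)
               for t in terms for a in ACTIONS)
```

The number of rules generated for a pair (f, a) is the product of the premise counts of the rules in R(f, a), which is where the exponential blow-up comes from.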

The language $G^+$ modulo bisimilarity can be axiomatized using our algorithm without the need for
the exponentially many restriction operators. The conversion to positive GSOS with predicates discussed
above does incur an exponential blow-up in the number of rules, but it gives an alternative way of
generating ground-complete axiomatizations for standard GSOS languages to the one proposed in [2]. In
general, it is useful to have several approaches in one's toolbox, since one may choose the one that is
"less expensive" for the specific task at hand. Moreover, using positive GSOS operations, one can also
try to extend the methods from the full version of the paper [2] (see Section 7.1 in the technical report
available at http://www.ru.is/~luca/PAPERS/csOH994.ps) to optimize these axiomatizations. We are
currently working on applying such methods to positive preg systems with universal as well as existential
predicates, and on extending our tool [3] accordingly.

It is worth noting that the predicates cannot(a) are not implicit; therefore the restrictions presented
at the end of Section 4.1 need not be imposed.

7 Conclusions and future work 

In this paper we have introduced the preg rule format, a natural extension of GSOS with arbitrary
predicates. Moreover, we have provided a procedure (similar to the one in [2]) for deriving sound and
ground-complete axiomatizations for bisimilarity of systems that match this format. In the current approach,
explicit predicates are handled by considering constants witnessing their satisfiability as summands in
tree expressions. Consequently, there is no explicit predicate $P$ satisfied by a term of shape $\sum_{i \in I} a_i.t_i$.

The procedure introduced in this paper has also enabled the implementation of a tool [3] that can be
used to automatically reason on bisimilarity of systems specified as terms built over operations defined
by preg rules.

Several possible extensions are left as future work. It would be worth investigating the properties
of positive preg languages. By allowing only positive premises we eliminate the need for the restriction
operators ($\partial_{\mathcal{B},\mathcal{Q}}$) during the axiomatization process. This would enable us to deal with more general
predicates over trees, such as those that may be satisfied by terms of the form $a.t$ where $a$ ranges over
some subset of the collection of actions.

Another direction for future research is that of understanding the presented work from a coalgebraic
perspective. The extensions from [2] to the present paper might be thought of as an extension from
coalgebras for a functor $\mathscr{P}(A \times Id)$ to a functor $\mathscr{P}(\mathcal{P}) \times \mathscr{P}(A \times Id)$, where $\mathscr{P}$ is the powerset functor, $A$ is the
set of actions and $\mathcal{P}$ is the set of predicates. Also the language FTP coincides, apart from the recursion
operator, with the one that would be obtained for the functor $\mathscr{P}(\mathcal{P}) \times \mathscr{P}(A \times Id)$ in the context of Kripke
polynomial coalgebras [9].

Finally, we plan to extend our axiomatization theory in order to reason on the bisimilarity of guarded 
recursively defined terms, following the line presented in |£TJ . 